CLAIMS



What is claimed is: 

1. A method for controlling subscriber access in a network capable of establishing
connections with a plurality of domains, comprising:

receiving a communication from a subscriber using a first communication network
coupled to at least one other communication network, said communication
optionally including a domain identifier associated with a domain on said at least
one other communication network;



determining whether said subscriber is authorized to access said domain based upon 
said domain identifier and a list of authorized domains for a virtual circuit used 
to receive said communication; 

authorizing subscriber access to said domain when said domain identifier is included
in said list.

2. The method of claim 1, further comprising terminating said communication when
said domain identifier is not included in said list.

3. The method of claim 1 wherein said communication comprises a Point-to-Point
Protocol (PPP) session.

4. The method of claim 3 wherein

said PPP session comprises a tunneling session;
said determining further comprises assigning a tunnel ID; and
said PPP session is forwarded onto a tunnel associated with said tunnel ID when said
subscriber is authorized to access said domain.

5. The method of claim 4 wherein said tunneling session comprises an L2TP session.

6. The method of claim 5 wherein said determining further comprises:
issuing an authorized domain list request including a virtual circuit identifier;
receiving an authorized domain list that includes authorized domains for said
identifier;

indicating said domain is unauthorized when said domain name is not in said domain
list;

indicating said domain is authorized when said domain name is in said domain list;
issuing a tunnel ID request including said domain name when said domain name is
authorized; and
receiving a tunnel ID.

7. The method of claim 6 wherein

said authorized domain list request is serviced by an AAA server; and
an AAA server services said tunnel ID request.

8. The method of claim 6 wherein said virtual circuit identifier comprises a VPI/VCI
identifier.

9. The method of claim 5 wherein said determining further comprises:
issuing a tunnel ID request including said domain name and a virtual circuit
identifier; and
receiving a tunnel ID.

10. The method of claim 9 wherein an AAA server services said tunnel ID request. 

11. The method of claim 9 wherein said virtual circuit identifier comprises a VPI/VCI
identifier. 

12. The method of claim 5 wherein said determining further comprises: 

performing a table lookup based on a virtual circuit identifier to obtain an authorized 
domain list that includes authorized domains for said virtual circuit identifier; 

indicating said domain is unauthorized when said domain name is not in said 
authorized domain list; 

indicating said domain is authorized when said domain name is in said authorized 
domain list; and 

performing a table lookup based on said domain name to obtain a tunnel ID when 
said domain name is authorized. 

13. The method of claim 12 wherein said virtual circuit identifier comprises a VPI/VCI
identifier.

14. A program storage device readable by a machine, embodying a program of 
instructions executable by the machine to perform a method to control subscriber 
access in a network capable of establishing connections with a plurality of domains,
the method comprising: 

receiving a communication from a subscriber using a first communication network 
coupled to at least one other communication network, said communication 
optionally including a domain identifier associated with a domain on said at least 
one other communication network; 

determining whether said subscriber is authorized to access said domain based upon 
said domain identifier and a list of authorized domains for a virtual circuit used 
to receive said communication; 

authorizing subscriber access to said domain when said domain identifier is included 
in said list. 

15. The program storage device of claim 14, further comprising terminating said 
communication when said domain identifier is not included in said list. 

16. The program storage device of claim 14 wherein said communication comprises a 
Point-to-Point Protocol (PPP) session. 

17. The program storage device of claim 16 wherein 
said PPP session comprises a tunneling session; 

said determining further comprises assigning a tunnel ID; and 

said PPP session is forwarded onto a tunnel associated with said tunnel ID when said 
subscriber is authorized to access said domain. 

18. The program storage device of claim 17 wherein said tunneling session comprises an
L2TP session. 

19. The program storage device of claim 18 wherein said determining further comprises:
issuing an authorized domain list request including a virtual circuit identifier;
receiving an authorized domain list that includes authorized domains for said
identifier;

indicating said domain is unauthorized when said domain name is not in said domain
list;

indicating said domain is authorized when said domain name is in said domain list;
issuing a tunnel ID request including said domain name when said domain name is
authorized; and
receiving a tunnel ID.

20. The program storage device of claim 19 wherein 

said authorized domain list request is serviced by an AAA server; and 
an AAA server services said tunnel ID request. 

21. The program storage device of claim 19 wherein said virtual circuit identifier
comprises a VPI/VCI identifier.

22. The program storage device of claim 18 wherein said determining further comprises:
issuing a tunnel ID request including said domain name and a virtual circuit
identifier; and
receiving a tunnel ID.

23. The program storage device of claim 22 wherein an AAA server services said tunnel
ID request. 

24. The program storage device of claim 22 wherein said virtual circuit identifier 
comprises a VPI/VCI identifier. 

25. The program storage device of claim 18 wherein said determining further comprises:
performing a table lookup based on a virtual circuit identifier to obtain an authorized
domain list that includes authorized domains for said virtual circuit identifier;
indicating said domain is unauthorized when said domain name is not in said
authorized domain list;
indicating said domain is authorized when said domain name is in said authorized
domain list; and

performing a table lookup based on said domain name to obtain a tunnel ID when
said domain name is authorized.

26. The program storage device of claim 25 wherein said virtual circuit identifier 
comprises a VPI/VCI identifier. 

27. An apparatus for controlling subscriber access in a network capable of establishing 
connections with a plurality of domains, the apparatus comprising: 

means for receiving a communication from a subscriber using a first communication 
network coupled to at least one other communication network, said 
communication optionally including a domain identifier associated with a 
domain on said at least one other communication network; 

means for determining whether said subscriber is authorized to access said domain
based upon said domain identifier and a list of authorized domains for a virtual
circuit used to receive said communication;
means for authorizing subscriber access to said domain when said domain identifier is
included in said list.

28. The apparatus of claim 27, further comprising means for terminating said 
communication when said domain identifier is not included in said list. 

29. The apparatus of claim 27 wherein said communication comprises a Point-to-Point 
Protocol (PPP) session. 

30. The apparatus of claim 29 wherein 

said PPP session comprises a tunneling session;

said determining further comprises means for assigning a tunnel ID; and
said PPP session is forwarded onto a tunnel associated with said tunnel ID when said
subscriber is authorized to access said domain.

31. The apparatus of claim 30 wherein said tunneling session comprises an L2TP session.

32. The apparatus of claim 29 wherein said determining further comprises: 

means for issuing an authorized domain list request including a virtual circuit 
identifier; 

means for receiving an authorized domain list that includes authorized domains for
said identifier;

means for indicating said domain is unauthorized when said domain name is not in
said domain list;

means for indicating said domain is authorized when said domain name is in said
domain list;

means for issuing a tunnel ID request including said domain name when said domain
name is authorized; and
means for receiving a tunnel ID.




33. The apparatus of claim 32 wherein 

said authorized domain list request is serviced by an AAA server; and 
an AAA server services said tunnel ID request. 

34. The apparatus of claim 32 wherein said virtual circuit identifier comprises a VPI/VCI
identifier. 

35. The apparatus of claim 31 wherein said determining further comprises: 
means for issuing a tunnel ID request including said domain name and a virtual
circuit identifier; and
means for receiving a tunnel ID. 

36. The apparatus of claim 35 wherein an AAA server services said tunnel ID request. 

37. The apparatus of claim 35 wherein said virtual circuit identifier comprises a VPI/VCI
identifier.

38. The apparatus of claim 31 wherein said determining further comprises:

means for performing a table lookup based on a virtual circuit identifier to obtain an 
authorized domain list that includes authorized domains for said virtual circuit 
identifier; 

means for indicating said domain is unauthorized when said domain name is not in
said authorized domain list;
means for indicating said domain is authorized when said domain name is in said
authorized domain list; and
means for performing a table lookup based on said domain name to obtain a tunnel ID
when said domain name is authorized.

39. The apparatus of claim 38 wherein said virtual circuit identifier comprises a VPI/VCI 
identifier. 

40. An access server capable of forcing subscribers of a communications system to gain 
access exclusively to a domain network associated with a virtual circuit, said access 
server comprising: 

an authorized domain list request generator capable of generating an authorized 
domain list request including a virtual circuit identifier associated with a virtual 
circuit used to accept a PPP session authentication request, said PPP session 
authentication request including a domain identifier; 

an assessor capable of determining whether said domain identifier is in said domain 
list; 

a tunnel ID request generator capable of generating a tunnel ID request including said
domain identifier; and
an authorizer capable of granting users domain access based upon said authorized
domain list.

41. The access server of claim 40, further comprising: 

a first receiving interface capable of accepting said PPP session authentication
request;

a first forwarding interface capable of sending said authorized domain list request to
an AAA server;

a second receiving interface capable of accepting a requested authorized domain list;
a second forwarding interface capable of sending said tunnel ID request to an AAA
server;

a third receiving interface capable of accepting a requested tunnel ID; and
a third forwarding interface capable of forwarding said PPP session on a tunneling
session associated with said tunnel ID.

42. The access server of claim 40 wherein said tunneling session comprises an L2TP
session.

43. The access server of claim 42 wherein said virtual circuit identifier comprises a
Virtual Path Identifier (VPI) / Virtual Channel Identifier (VCI).

44. The access server of claim 43 wherein said first receiving interface comprises at least
one access multiplexer, each access multiplexer having a plurality of inputs for 
receiving a service request, each of said inputs being associated with a particular 
subscriber virtual circuit. 

45. The access server of claim 41 wherein said AAA server and said access server
communicate using the Remote Authorization Dial-In User Service (RADIUS)
protocol.

46. An access server capable of forcing subscribers of a communications system to gain
access exclusively to a domain network associated with a virtual circuit, said access
server comprising:

a tunnel ID request generator capable of generating a tunnel ID request, said tunnel
ID request including a virtual circuit identifier associated with a virtual circuit
used to accept a PPP authentication request; and

an authorizer capable of granting users domain access based upon a list of authorized
domains for said virtual circuit.

47. The access server of claim 46, further comprising:

a first receiving interface capable of accepting said PPP session authentication
request, said PPP session authentication request including a domain identifier;
a first forwarding interface capable of sending said tunnel ID request to an AAA
server;
a second receiving interface capable of accepting a requested tunnel ID; and
a second forwarding interface capable of forwarding said PPP session on a tunneling
session associated with said tunnel ID.

48. The access server of claim 47 wherein said tunneling session comprises an L2TP 
session. 

49. The access server of claim 48 wherein said virtual circuit identifier comprises a 
Virtual Path Identifier (VPI) / Virtual Channel Identifier (VCI). 

50. The access server of claim 46 wherein said first receiving interface comprises at least 
one access multiplexer, each access multiplexer having a plurality of inputs for 
receiving a service request, each of said inputs being associated with a particular 
subscriber virtual circuit. 

51. The access server of claim 47 wherein said AAA server and said access server 
communicate using the Remote Authorization Dial-In User Service (RADIUS) 
protocol. 

52. An access server capable of forcing subscribers of a communications system to gain 
access exclusively to a domain network associated with a virtual circuit, said access 
server comprising: 

a memory device capable of storing a domain list table and a tunnel ID table, said
domain list table including a plurality of virtual circuit identifiers and associated
domain identifiers, said tunnel ID table including a plurality of domain names
and associated tunnel IDs;
an authorized domain list determiner capable of determining an authorized domain
list based upon said domain list table and a domain identifier within a PPP
authentication request, said PPP authentication request received on a virtual
circuit having a virtual circuit identifier;
an assessor capable of determining whether said domain identifier is in said domain
list;

a tunnel ID determiner capable of determining a tunnel ID based upon said tunnel ID
table and said domain identifier; and
an authorizer capable of granting subscribers domain access based upon said
authorized domain list.

53. The access server of claim 51, further comprising: 

a receiving interface capable of accepting said PPP session authentication request; 
and 

a forwarding interface capable of forwarding said PPP session on a tunneling session 
associated with said tunnel ID. 

54. The access server of claim 53 wherein said tunneling session comprises an L2TP 
session. 

55. The access server of claim 54 wherein said virtual circuit identifier comprises a
Virtual Path Identifier (VPI) / Virtual Channel Identifier (VCI). 

56. The access server of claim 52 wherein said first receiving interface comprises at least 
one access multiplexer, each access multiplexer having a plurality of inputs for 
receiving a service request, each of said inputs being associated with a particular 
subscriber virtual circuit. 